Stefan Fritsch wrote:
On Wednesday 27 February 2008, Nick Boyce wrote:
> But it seems to me that simply enabling the --unrar parameter of clamscan would not entail incorporating or distributing any unrar code at all - the code to parse the --unrar parameter and call the non-free unrar binary if specified surely belongs to ClamAV alone?

Note that unrar-nonfree has no security support (like all packages in non-free). Using it to automatically process potentially malicious content is a bad idea, IMHO. In fact, unrar-nonfree in stable had a security issue until the release of etch r3 (CVE-2007-0855).

Ah ... damn, didn't realise that - a bit like Ubuntu's "universe" I suppose ... security fixes not guaranteed, but are possible as the source is available.
Don't know what to do now, especially as this is currently still a Sarge system :-( I might just disable RAR scanning till I upgrade it.
Thanks for the heads up.

Nick Boyce
--
The owls are not what they seem.